magic_rb/dotfiles
1
0
Fork 0
mirror of https://git.sr.ht/~magic_rb/dotfiles synced 2024-11-25 17:46:14 +01:00
Code Issues Packages Projects Releases Wiki Activity

Cleanup omen

Browse source 
Signed-off-by: magic_rb <magic_rb@redalder.org>
This commit is contained in:
magic_rb 2024-03-02 23:09:25 +01:00
parent c45d848571
commit d89deacd3e
No known key found for this signature in database
GPG key ID: 08D5287CC5DDCA0E
8 changed files with 9 additions and 290 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

56
nixos/systems/omen/default.nix
View file

@ -50,31 +50,15 @@ in {
./users.nix ./users.nix
./nixpkgs.nix ./nixpkgs.nix
./firewall.nix ./firewall.nix
./microvm.nix
./impermenance.nix ./impermenance.nix
./numen.nix
../../../overlays/ifstate/module.nix ../../../overlays/ifstate/module.nix
# ./test-vm.nix # ./test-vm.nix
inputs.microvm.nixosModules.host
inputs.notnft.nixosModules.default inputs.notnft.nixosModules.default
inputs.self.nixosModules.notnft inputs.self.nixosModules.notnft
inputs.self.nixosModules.microvm-extras-host
inputs.impermenance.nixosModules.impermanence inputs.impermenance.nixosModules.impermanence
]; ];
_module.args.nixinate = {
host = secret.network.ips.omen.vpn or "";
sshUser = "main";
buildOn = "local";
substituteOnTarget = true;
hermetic = false;
nixOptions = [
"--override-input secret path://$HOME/dotfiles/secret"
];
};
services.fwupd.enable = true; services.fwupd.enable = true;
services.syncthing = { services.syncthing = {
@ -94,24 +78,6 @@ in {
]; ];
environment.systemPackages = [ environment.systemPackages = [
# (pkgs.man-pages.overrideAttrs (old: rec {
# version = "6.05.01";
# src = pkgs.fetchurl {
# url = "mirror://kernel/linux/docs/man-pages/${old.pname}-${version}.tar.xz";
# hash = "sha256-uWq2tEpojJHRtXLlL+zlGeHP0rtMM/5wFPw/0e8/nK4=";
# };
# nativeBuildInputs = with pkgs; [
# git
# (pkgs.callPackage inputs.nixpkgs-272363.legacyPackages.${pkgs.stdenv.system}.groff.override {})
# ];
# }))
# (pkgs.man-pages-posix.overrideAttrs (old: rec {
# version = "2021-02-14";
# src = pkgs.fetchurl {
# url = "mirror://kernel/linux/docs/man-pages/man-pages-posix/${old.pname}-${version}.tar.xz";
# hash = "";
# };
# }))
pkgs.man-pages-posix pkgs.man-pages-posix
]; ];
documentation.dev.enable = true; documentation.dev.enable = true;
@ -122,28 +88,6 @@ in {
time.timeZone = "Europe/Amsterdam"; time.timeZone = "Europe/Amsterdam";
system.stateVersion = "23.05"; system.stateVersion = "23.05";
security.pam.services.sshd.rules.session.pam_exec = let
sudoLogin = pkgs.writeShellScript "sudologin" ''
echo TESTING > /tmp/pamtest
'';
in {
modulePath = "pam_exec.so";
args = [(toString sudoLogin)];
control = "optional";
order = config.security.pam.services.sshd.rules.session.limits.order + 10;
};
security.pam.services.sudo.rules.session.pam_exec = let
sudoLogin = pkgs.writeShellScript "sudologin" ''
echo TESTING > /tmp/pamtest
'';
in {
modulePath = "pam_exec.so";
args = [(toString sudoLogin)];
control = "optional";
order = config.security.pam.services.sudo.rules.session.limits.order + 10;
};
virtualisation.podman.enable = true; virtualisation.podman.enable = true;
virtualisation.podman.defaultNetwork.settings.subnets = [ virtualisation.podman.defaultNetwork.settings.subnets = [

9
nixos/systems/omen/firewall.nix
View file

@ -6,11 +6,15 @@
... ...
}: { }: {
networking.notnft.postStop = '' networking.notnft.postStop = ''
# ${lib.getExe' pkgs.podman "podman"} network reload -a if systemctl status podman ; then
${lib.getExe' pkgs.podman "podman"} network reload -a
fi
''; '';
networking.notnft.postStart = '' networking.notnft.postStart = ''
# ${lib.getExe' pkgs.podman "podman"} network reload -a if systemctl status podman ; then
${lib.getExe' pkgs.podman "podman"} network reload -a
fi
''; '';
networking.notnft.rules = let networking.notnft.rules = let
@ -33,7 +37,6 @@
[(is.eq meta.oifname "uk3s0") (mangle meta.nftrace 1)] [(is.eq meta.oifname "uk3s0") (mangle meta.nftrace 1)]
[(is.eq meta.iifname "uk3s0") (mangle meta.nftrace 1)]; [(is.eq meta.iifname "uk3s0") (mangle meta.nftrace 1)];
in in
# pkgs.writeText "nftables.json" (builtins.toJSON (with notnft.dsl; with payload; ruleset
with notnft.dsl; with notnft.dsl;
with payload; with payload;
ruleset { ruleset {

62
nixos/systems/omen/hardware.nix
View file

@ -60,68 +60,6 @@ in {
hardware.tuxedo-keyboard.enable = true; hardware.tuxedo-keyboard.enable = true;
# specialisation.nvidia-sync.configuration = {
# environment.variables.NIXOS_SPECIALIZATION = "nvidia-sync";
# boot.loader.grub.enable = mkOverride 0 false;
# hardware.nvidia = {
# powerManagement.enable = mkForce false;
# powerManagement.finegrained = mkForce false;
# prime.offload.enableOffloadCmd = mkForce false;
# prime.offload.enable = mkForce false;
# prime.sync.enable = true;
# };
# };
# specialisation.nouveau.configuration = {
# environment.variables.NIXOS_SPECIALIZATION = "nouveau";
# boot.loader.grub.enable = mkOverride 0 false;
# hardware.nvidia = mapAttrs (_: v: mkForce v) {
# powerManagement.enable = false;
# powerManagement.finegrained = false;
# prime.offload.enableOffloadCmd = false;
# prime.offload.enable = false;
# nvidiaPersistenced = false;
# prime.reverseSync.enable = false;
# };
# services.xserver.videoDrivers = mkForce ["modesetting" "nouveau"];
# };
# specialisation.no-nvidia.configuration = {
# environment.variables.NIXOS_SPECIALIZATION = "no-nvidia";
# boot.loader.grub.enable = mkOverride 0 false;
# hardware.nvidia = mapAttrs (_: v: mkForce v) {
# powerManagement.enable = false;
# powerManagement.finegrained = false;
# prime.offload.enableOffloadCmd = false;
# prime.offload.enable = false;
# nvidiaPersistenced = false;
# prime.reverseSync.enable = false;
# };
# services.xserver.videoDrivers = mkForce ["modesetting"];
# boot.extraModprobeConfig = ''
# blacklist nouveau
# options nouveau modeset=0
# '';
# services.udev.extraRules = ''
# # Remove NVIDIA USB xHCI Host Controller devices, if present
# ACTION=="add", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x0c0330", ATTR{power/control}="auto", ATTR{remove}="1"
# # Remove NVIDIA USB Type-C UCSI devices, if present
# ACTION=="add", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x0c8000", ATTR{power/control}="auto", ATTR{remove}="1"
# # Remove NVIDIA Audio devices, if present
# ACTION=="add", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x040300", ATTR{power/control}="auto", ATTR{remove}="1"
# # Remove NVIDIA VGA/3D controller devices
# ACTION=="add", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x03[0-9]*", ATTR{power/control}="auto", ATTR{remove}="1"
# '';
# boot.blacklistedKernelModules = ["nouveau" "nvidia" "nvidia_drm" "nvidia_modeset"];
# };
hardware.nvidia = { hardware.nvidia = {
nvidiaPersistenced = true; nvidiaPersistenced = true;

4
nixos/systems/omen/impermenance.nix
View file

@ -108,8 +108,8 @@ in {
serviceConfig.ExecStart = "/bin/sh ${rollbackStart}"; serviceConfig.ExecStart = "/bin/sh ${rollbackStart}";
}; };
systemd.services."mount-old-homes" = { systemd.services."mount-old-datasets" = {
description = "Mount old versions of home dataset"; description = "Mount old versions of datasets";
wantedBy = ["local-fs.target"]; wantedBy = ["local-fs.target"];
after = ["local-fs.target"]; after = ["local-fs.target"];

138
nixos/systems/omen/microvm.nix
View file

@ -1,138 +0,0 @@
{
pkgs,
inputs',
...
}: {
environment.systemPackages = [
inputs'.microvm.packages.${pkgs.stdenv.system}.microvm
];
services.ifstate = {
enable = true;
settings = {
ignore.ifname = [
"^wlan0$"
"^mvm0$"
"^wg0$"
"^mvm-test$"
"^lo$"
];
interfaces = [
{
name = "test-veth1";
link = {
kind = "veth";
peer = "test-veth0";
peer_netns = "tenant1";
};
}
];
namespaces.tenant1.interfaces = [
{
name = "test-veth0";
link = {
kind = "veth";
peer = "test-veth1";
peer_netns = null;
};
}
];
};
};
systemd.network.netdevs."mvm0" = {
netdevConfig = {
Name = "mvm0";
Kind = "bridge";
};
};
systemd.network.networks."10-mvm0" = {
matchConfig.Name = "mvm0";
networkConfig.Address = "10.80.1.1/24";
linkConfig.RequiredForOnline = "yes";
};
systemd.network.networks."11-mvm-test" = {
matchConfig.Name = "mvm-test";
networkConfig.Bridge = "mvm0";
linkConfig.RequiredForOnline = "no";
};
microvm.services.tcpUdp.test-ssh = {
hostName = "test";
port = 22;
protocol = ["tcp"];
};
microvm.services.http.test = {
hostName = "test";
port = 80;
};
microvm.services.icmp.test = {
hostName = "test";
};
microvm.connections.http = [
{
target = "test";
}
];
microvm.connections.tcpUdp = [
{
target = "test-ssh";
}
];
microvm.connections.icmp = [
{
target = "test";
}
];
microvm.vms = {
test.config = {
imports = [inputs'.self.nixosModules.microvm-extras];
microvm = {
hostName = "test";
hostsHostName = "omen";
groupId = 1;
taskId = 2;
};
microvm.hypervisor = "cloud-hypervisor";
microvm.shares = [
{
source = "/nix/store";
mountPoint = "/nix/.ro-store";
tag = "ro-store";
proto = "virtiofs";
}
];
microvm.storeOnDisk = false;
networking.firewall.allowedTCPPorts = [80 22];
services.nginx = {
enable = true;
virtualHosts."example.com" = {
root = "/var/www/blog";
};
};
users.users.root.password = "";
services.getty.helpLine = ''
Log in as "root" with an empty password.
'';
services.openssh = {
enable = true;
settings.PermitRootLogin = "yes";
};
system.stateVersion = "23.05";
};
};
}

10
nixos/systems/omen/networking.nix
View file

@ -26,16 +26,6 @@ in {
useDHCP = false; useDHCP = false;
}; };
networking.notnft.rules = with notnft.dsl;
with payload;
ruleset {
filter = add table {family = f: f.inet;} {
trace =
add chain
[(is.eq ip.protocol (f: f.icmp)) (mangle meta.nftrace 1)];
};
};
services.networkd-dispatcher = { services.networkd-dispatcher = {
enable = true; enable = true;
rules.wlan-eth-switch = { rules.wlan-eth-switch = {

18
nixos/systems/omen/numen.nix
View file

@ -1,18 +0,0 @@
{
pkgs,
inputs',
...
}: {
services.udev.extraRules = ''
KERNEL=="uinput", GROUP="input", MODE="0660", OPTIONS+="static_node=uinput"
'';
users.users.main = {
extraGroups = [
"input"
];
};
environment.systemPackages = [
inputs'.numen-nix.packages.${pkgs.stdenv.system}.default
];
}

2
nixos/systems/omen/users.nix
View file

@ -18,6 +18,6 @@
home-manager.users.main = { home-manager.users.main = {
imports = [(inputs'.self + "/home-manager/modules/profiles/workstation.nix")]; imports = [(inputs'.self + "/home-manager/modules/profiles/workstation.nix")];
home.stateVersion = "21.05"; home.stateVersion = "23.11";
}; };
} }